DoD hacked Facebook? Trackback explained

 
 
Anonymous Remailer (austria)
Guest
Posts: n/a
 
      01-26-2011

"Mark Zuckerberg Facebook fan page hack: who was behind it?"

http://www.guardian.co.uk/technology...rk-zuckerberg-facebook-fan-hack-investigation

" ... Let's follow up some of the trail left in the Mark Zuckerberg
Facebook fan page hacking incident.

The only – and best clue – is the link left by the hacker in the status
update posted on Zuckerberg's wall, which reads "Let the hacking begin:
if facebook needs money, instead of going to the banks, why doesn't
Facebook let its user invest in Facebook in a social way? Why not
transform Facebook into a 'social business' the way Nobel Price [sic]
winner Muhammad Yunus described it? http://bit.ly/f26rT3 What do you
think? #hackercup2011"

That contains a bit.ly link. Well, you can find out what the original
URL is by adding a plus on the end, so: http://bit.ly/fs6rT3+ From
which we can see that about 17,000 people clicked the link. Not bad
(though we have to say that Julian Assange gets more clicks when he
appears on the Guardian ... but we digress).

The original, shortened link was actually:
http://en.wikipedia.org/wiki/Social_business?h=d044aeb71f4e466a552708fc6e3863ef&thanksforthecup=https://
http://www.facebook.com/photo.php%3F...6636768%26fbid%3D170535036312026

Let's begin with the second part of the long link – the part that
starts "thanksforthecup": it's URL-encoded (so "%3D" actually stands
for the character "=", "%26" for "&") and leads to a Facebook photo
page for the Hacker Cup, a competition run by Facebook itself. So the
hacker is saying he thinks he should get the cup. OK, we get it.

Now, back to the first part. If you just click the link, you'll be
taken to Wikipedia's page about social business. But not the latest
version – to a specific version in its edit history. That is, to
http://en.wikipedia.org/wiki/Social_business?h=d044aeb71f4e466a552708fc6e3863ef
– which is not the same, now, as
http://en.wikipedia.org/wiki/Social_business. If you open them in two
tabs, or just open the first in a tab and click on the "Article" link
in the top left, you'll see it. Go back and forth a couple of times and
you might spot the difference. Yes? No? Have a look at this difference
page, then. (And look at how it was before that edit.)

Yup, the difference is the addition in the first sentence. Usually,
that reads:

"A '''social business''' is a non-loss, non-dividend company designed
to address a social objective"

But in the edited (older) version that you get sent to, the phrase

" much like [http://www.romanstwelve.net www.romanstwelve.net]"

has been added. (The square brackets turn the text into a link going
out to romanstwelve.net). And what does that site do? It offers "total
web consulting" and is based in Pickerington, Ohio.

Crucially, as the picture shows, that edit was only on Wikipedia for
two minutes on Tuesday 25 – between 19.17EST and 19.19EST – indicating
that the hacker must have created the edit with the link and then
deleted it straight afterwards, but kept the link to the version he had
edited. Then he encoded the link for the photo and attached it to the
Wikipedia link, and stuffed the whole lot into bit.ly. Then, having got
the shortened link, he went and updated the status on the fan page. The
timing of the change, and its reversion, indicates that this was the
same person. You don't accidentally link to an old version of a page;
you'd link to the generic version.

In other words, we might be able to find the hacker if we can find out
who changed the Wikipedia page. Unfortunately, it wasn't done by a
registered user. But because of Wikipedia's clever tracking system, you
can see the IP of non-registered users: there it is at the top of the
edit page in the screenshot: 131.74.110.168. You can also see what
articles machines at that IP address have edited – a very mixed bag –
and also how edits from that IP have been increasingly smacked down by
Wikipedia editors (latest on that page coming from October 2009:
"Please stop your disruptive editing. If you continue to vandalise
Wikipedia, as you did at Lyoto Machida, you will be blocked from
editing.")

So who's behind 131.74.110.168? A quick whois query tells you that
it... the US department of defence in Williamsburg.

In other words: this might be someone in the military. Most likely
those edits don't come from one person – they come from all sorts of
people in the Williamsburg location. Or, just as possible, it was
someone who had hacked into the computers there from outside (not as
difficult as you'd hope it would be) and is using them as a proxy to
make the Wikipedia edit, and, quite possibly, hack Zuckerberg's page.
(We've asked Facebook whether Zuckerberg's page was accessed from that
IP, but haven't had an answer yet.)

That's about all the clues we have: a US DOD IP, a transient Wikipedia
page, and a link to a web consulting business. We asked Jeremy Reger,
of Romanstwelve, if he was involved with or knew who was behind the
hacking. His answer is an emphatic no: "Hackers don't link to pages who
then link to pages. I do not have any idea who did the hack." He added:
"I'm sure Facebook would confirm that the IP [address] in the wiki
history is not the same IP that "hacked" the fan page."

That remains to be seen. For now, all we have are the pieces of the
hack. Can anyone add more?
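
The link unpacking described in the quoted article, as an added example that is not part of the original post or the article: it splits a long URL into its query parameters and follows any URL carried, percent-encoded, inside a parameter value. The sample URL is constructed (placeholder hash, made-up `pid`/`id` names and numeric values), and the function names are this example's own.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample shaped like the link in the article: a Wikipedia URL
# with an extra parameter whose value is a percent-encoded Facebook photo
# URL. The hash and the numeric ids are placeholders, not the real values.
SAMPLE = ("http://en.wikipedia.org/wiki/Social_business"
          "?h=PLACEHOLDERHASH"
          "&thanksforthecup=https://www.facebook.com/photo.php"
          "%3Fpid%3D111%26id%3D222%26fbid%3D333")


def as_url(value, extra_layers=3):
    """Return value as an http(s) URL, undoing repeated encoding, else None."""
    for _ in range(extra_layers + 1):
        try:
            if urlsplit(value).scheme in ("http", "https"):
                return value
        except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
            return None
        decoded = unquote(value)
        if decoded == value:
            return None
        value = decoded
    return None


def unpack(url, depth=0, max_depth=3):
    """List (depth, host, path, params) for url and each URL nested in it."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes names and values once ("%3D" -> "=").
    params = parse_qsl(parts.query, keep_blank_values=True)
    layers = [(depth, parts.hostname, parts.path, params)]
    if depth < max_depth:
        for _name, value in params:
            nested = as_url(value)
            if nested:
                layers.extend(unpack(nested, depth + 1, max_depth))
    return layers


def foreign_hosts(url):
    """Hosts reached only through nested parameters, for link triage."""
    layers = unpack(url)
    outer = layers[0][1]
    return sorted({h for _d, h, _p, _q in layers[1:] if h and h != outer})


if __name__ == "__main__":
    for depth, host, path, params in unpack(SAMPLE):
        print("  " * depth + f"{host}{path}")
        for name, value in params:
            print("  " * depth + f"    {name} = {value}")
```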

 
Ari Silverstein
Guest
Posts: n/a
 
      01-26-2011
On Wed, 26 Jan 2011 20:15:52 +0100 (CET), Anonymous Remailer (austria)
wrote:

> So who's behind 131.74.110.168? A quick whois query tells you that
> it... the US department of defence in Williamsburg.


More specifically the Logistics Agency which handles pay and
employment. It might be of interest that we have CAC access to the
DLA since we have to coordinate through a range of IPs with MyPay.

IOW, I am your hacker.

*LOL*

> In other words: this might be someone in the military.


Or not. See above.

> Most likely
> those edits don't come from one person – they come from all sorts of
> people in the Williamsburg location.


Or not. See above.

> Or, just as possible, it was
> someone who had hacked into the computers there from outside (not as
> difficult as you'd hope it would be) and is using them as a proxy to
> make the Wikipedia edit, and, quite possibly, hack Zuckerberg's page.


Or not. See above.

> (We've asked Facebook whether Zuckerberg's page was accessed from that
> IP, but haven't had an answer yet.)


duh.
--
"If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him." ~Cardinal
Richelieu
 
Art
Guest
Posts: n/a
 
      01-26-2011
Ari Silverstein wrote:

> On Wed, 26 Jan 2011 20:15:52 +0100 (CET), Anonymous Remailer (austria)
> wrote:
>
> > So who's behind 131.74.110.168? A quick whois query tells you that
> > it... the US department of defence in Williamsburg.

>
> More specifically the Logistics Agency which handles pay and
> employment. It might be of interest that we have CAC access to the
> DLA since we have to coordinate through a range of IPs with MyPay.
>


What does CAC access have to do with this ?

 
Ari Silverstein
Guest
Posts: n/a
 
      01-27-2011
On Wed, 26 Jan 2011 18:07:47 -0500, Art wrote:

> Ari Silverstein wrote:
>
>> On Wed, 26 Jan 2011 20:15:52 +0100 (CET), Anonymous Remailer (austria)
>> wrote:
>>
>>> So who's behind 131.74.110.168? A quick whois query tells you that
>>> it... the US department of defence in Williamsburg.

>>
>> More specifically the Logistics Agency which handles pay and
>> employment. It might be of interest that we have CAC access to the
>> DLA since we have to coordinate through a range of IPs with MyPay.
>>

>
> What does CAC access have to do with this ?


If you have to ask, then you haven't a clue about the requirements to
enter a secured .mil domain.
--
"If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him." ~Cardinal
Richelieu
 
Art
Guest
Posts: n/a
 
      01-27-2011
Ari Silverstein wrote:

> On Wed, 26 Jan 2011 18:07:47 -0500, Art wrote:
>
> > Ari Silverstein wrote:
> >
> >> On Wed, 26 Jan 2011 20:15:52 +0100 (CET), Anonymous Remailer (austria)
> >> wrote:
> >>
> >>> So who's behind 131.74.110.168? A quick whois query tells you that
> >>> it... the US department of defence in Williamsburg.
> >>
> >> More specifically the Logistics Agency which handles pay and
> >> employment. It might be of interest that we have CAC access to the
> >> DLA since we have to coordinate through a range of IPs with MyPay.
> >>

> >
> > What does CAC access have to do with this ?

>
> If you have to ask, then you haven't a clue about the requirements to
> enter a secured .mil domain.
>


Dude I am fully aware of DoD PKE. I have had a CAC for most of the last
decade and know how to provision AD for CCL, have used all CAC middleware
from NetSIGN through ActivClient, I know what it takes to deal with encrypted
email when transitioning CACs and know what it takes for CAC related SSO.
Even my home PC is CAC compliant.

Now what does CAC have to do with this subject matter ?


 
Ari Silverstein
Guest
Posts: n/a
 
      01-27-2011
On Wed, 26 Jan 2011 19:51:53 -0500, Art wrote:

> Ari Silverstein wrote:
>
>> On Wed, 26 Jan 2011 18:07:47 -0500, Art wrote:
>>
>>> Ari Silverstein wrote:
>>>
>>>> On Wed, 26 Jan 2011 20:15:52 +0100 (CET), Anonymous Remailer (austria)
>>>> wrote:
>>>>
>>>>> So who's behind 131.74.110.168? A quick whois query tells you that
>>>>> it... the US department of defence in Williamsburg.
>>>>
>>>> More specifically the Logistics Agency which handles pay and
>>>> employment. It might be of interest that we have CAC access to the
>>>> DLA since we have to coordinate through a range of IPs with MyPay.
>>>>
>>>
>>> What does CAC access have to do with this ?

>>
>> If you have to ask, then you haven't a clue about the requirements to
>> enter a secured .mil domain.
>>

>
> Dude I am fully aware of DoD PKE. I have had a CAC for most of the last
> decade and know how to provision AD for CCL, have used all CAC middleware
> from NetSIGN through ActivClient, I know what it takes to deal with encrypted
> email when transitioning CACs and know what it takes for CAC related SSO.
> Even my home PC is CAC compliant.
>
> Now what does CAC have to do with this subject matter ?


Asked and answered and if you are as astute as you say, why not log in
to DLA's 131.74.110.168 DNS and Google Group a response back to us.
--
"If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him." ~Cardinal
Richelieu
 
Art
Guest
Posts: n/a
 
      01-27-2011
Ari Silverstein wrote:

> On Wed, 26 Jan 2011 19:51:53 -0500, Art wrote:
>
> > Ari Silverstein wrote:
> >
> >> On Wed, 26 Jan 2011 18:07:47 -0500, Art wrote:
> >>
> >>> Ari Silverstein wrote:
> >>>
> >>>> On Wed, 26 Jan 2011 20:15:52 +0100 (CET), Anonymous Remailer (austria)
> >>>> wrote:
> >>>>
> >>>>> So who's behind 131.74.110.168? A quick whois query tells you that
> >>>>> it... the US department of defence in Williamsburg.
> >>>>
> >>>> More specifically the Logistics Agency which handles pay and
> >>>> employment. It might be of interest that we have CAC access to the
> >>>> DLA since we have to coordinate through a range of IPs with MyPay.
> >>>>
> >>>
> >>> What does CAC access have to do with this ?
> >>
> >> If you have to ask, then you haven't a clue about the requirements to
> >> enter a secured .mil domain.
> >>

> >
> > Dude I am fully aware of DoD PKE. I have had a CAC for most of the last
> > decade and know how to provision AD for CCL, have used all CAC middleware
> > from NetSIGN through ActivClient, I know what it takes to deal with encrypted
> > email when transitioning CACs and know what it takes for CAC related SSO.
> > Even my home PC is CAC compliant.
> >
> > Now what does CAC have to do with this subject matter ?

>
> Asked and answered and if you are as astute as you say, why not log in
> to DLA's 131.74.110.168 DNS and Google Group a response back to us.
>


Right. You are just throwing that in to make you look like you know something.
You haven't answered anything.

You don't know shite. You are just a bloody troll Ari.






 
Ari Silverstein
Guest
Posts: n/a
 
      01-27-2011
On Wed, 26 Jan 2011 20:44:16 -0500, Art wrote:

> Ari Silverstein wrote:
>
>> On Wed, 26 Jan 2011 19:51:53 -0500, Art wrote:
>>
>>> Ari Silverstein wrote:
>>>
>>>> On Wed, 26 Jan 2011 18:07:47 -0500, Art wrote:
>>>>
>>>>> Ari Silverstein wrote:
>>>>>
>>>>>> On Wed, 26 Jan 2011 20:15:52 +0100 (CET), Anonymous Remailer (austria)
>>>>>> wrote:
>>>>>>
>>>>>>> So who's behind 131.74.110.168? A quick whois query tells you that
>>>>>>> it... the US department of defence in Williamsburg.
>>>>>>
>>>>>> More specifically the Logistics Agency which handles pay and
>>>>>> employment. It might be of interest that we have CAC access to the
>>>>>> DLA since we have to coordinate through a range of IPs with MyPay.
>>>>>>
>>>>>
>>>>> What does CAC access have to do with this ?
>>>>
>>>> If you have to ask, then you haven't a clue about the requirements to
>>>> enter a secured .mil domain.
>>>>
>>>
>>> Dude I am fully aware of DoD PKE. I have had a CAC for most of the last
>>> decade and know how to provision AD for CCL, have used all CAC middleware
>>> from NetSIGN through ActivClient, I know what it takes to deal with encrypted
>>> email when transitioning CACs and know what it takes for CAC related SSO.
>>> Even my home PC is CAC compliant.
>>>
>>> Now what does CAC have to do with this subject matter ?

>>
>> Asked and answered and if you are as astute as you say, why not log in
>> to DLA's 131.74.110.168 DNS and Google Group a response back to us.
>>

>
> You are just throwing that in to make you look like you know something.


You said: "Dude I am fully aware of DoD PKE. I have had a CAC for
most of the last decade and know how to provision AD for CCL, have
used all CAC middleware from NetSIGN through ActivClient, I know what
it takes to deal with encrypted email when transitioning CACs and
know what it takes for CAC related SSO. Even my home PC is CAC
compliant."

Nice copy and paste from NIMC. *LOL*

You are just throwing that in to make you look like you know
something.

> You haven't answered anything.


I have a long, recorded history of speaking on this subject and you?
Not a ****ing thing.

> You don't know shite. You are just a bloody troll Ari.


Don't let the door kiss your ass on the way out then. "Art".
--
"If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him." ~Cardinal
Richelieu
 
Art
Guest
Posts: n/a
 
      01-27-2011
>
> >> Asked and answered and if you are as astute as you say, why not log in
> >> to DLA's 131.74.110.168 DNS and Google Group a response back to us.
> >>

> >
> > You are just throwing that in to make you look like you know something.

>
> You said: "Dude I am fully aware of DoD PKE. I have had a CAC for
> most of the last decade and know how to provision AD for CCL, have
> used all CAC middleware from NetSIGN through ActivClient, I know what
> it takes to deal with encrypted email when transitioning CACs and
> know what it takes for CAC related SSO. Even my home PC is CAC
> compliant."
>
> Nice copy and paste from NIMC. *LOL*
>
> You are just throwing that in to make you look like you know
> something.
>
> > You haven't answered anything.

>
> I have a long, recorded history of speaking on this subject and you?
> Not a ****ing thing.
>
> > You don't know shite. You are just a bloody troll Ari.

>
> Don't let the door kiss your ass on the way out then. "Art".
> --
> "If you give me six lines written by the hand of the most honest of
> men, I will find something in them which will hang him." ~Cardinal
> Richelieu


Copy and paste my asss. I wrote that from the top of my head. Just like I know
that if you want to force your AGM platform to lock the screen when you pull your CAC
you set
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
scremoveoption =1

Of course I'm posting with a 'nym as I'm practicing OPSEC so don't expect this 'nym
to express prior GIG content. Don't expect this 'nym to exist much longer either.

Answer these questions:
A) What is the date CTO 07-015 poem is due ?

CN=DOD CA-24,OU=PKI,OU=DoD,O=U.S. Government,C=US
GemCombiXpresso R4 E72PK
B) Where does the above come from ?

C) Under the JKO Learning Management System, what is the 6th J3T training module one
can enroll in ?

D) Subsequent to one getting a new CAC on AGM 9.x, what are the THREE basic
constructs one needs to perform ?

E) Why do I need Tumbleweed ?





 
Ari Silverstein
Guest
Posts: n/a
 
      01-27-2011
On Thu, 27 Jan 2011 00:46:15 -0500, Art wrote:

> Answer these questions:
> A) What is the date CTO 07-015 poem is due ?


Oooh, wait, you're still here. You must have me confused with a
cubicle jailed coder like yourself. No, no, my little one. I suggest
you do your homework on me.

I *hire* coders.

Ta ta.
--
"If you give me six lines written by the hand of the most honest of
men, I will find something in them which will hang him." ~Cardinal
Richelieu
 